Intersections Data Breach. July

Transcription

1 Intersections Data Breach Consumer Notification Guide July

2

3 Table of contents Section I Introduction Section II State and Territory Regulations Alaska Arizona 7 Arkansas California Colorado Connecticut Delaware District of Columbia Florida Georgia 25 Hawaii Idaho Illinois Indiana 33 Iowa 35 Kansas Louisiana Maine Maryland Massachusetts Michigan Minnesota Mississippi Missouri Montana Nebraska Nevada 59 New Hampshire 61 New Jersey New York North Carolina North Dakota 71 Ohio 73 Oklahoma Oregon 77 Pennsylvania 79 Puerto Rico Rhode Island 83 South Carolina Tennessee 87 Texas Utah 91 Vermont Virgin Islands 95 Virginia 97 Washington West Virginia 101 Wisconsin 103 Wyoming Section III Federal Rules and Guidelines Office of Management and Budget (OMB) Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice FTC Health Breach Notification Rule HHS Breach Notification for Unsecured Health Information 113 Section IV Additional Law Enforcement Contacts National Alabama Kentucky New Mexico South Dakota 116 American Samoa Guam Northern Mariana Islands Section V About Intersections DataBreachServices@Intersections.com 3

4 introduction STATE One of the leading topics discussed in 2009 and continuing in 2010, by both state and federal lawmakers, is privacy protection, including data breach notification. Over the past five years 46 states, the District of Columbia, Puerto Rico and the Virgin Islands all have passed data breach notification regulations. The number of laws will continue to grow in the coming year and there continues to be much discussion regarding federal regulation as well. These requirements are designed to dictate who companies notify and the means in which they notify consumers in the event of a data breach. With so many state laws to consider though, companies who do business across the country can easily be confused and find themselves with difficulties especially considering the pressure they are under to get notices out to consumers quickly. A large data breach impacting consumers across multiple jurisdictions often can require a company to understand and comply with many, if not all laws which frequently conflict and contain subtle and not so subtle differences. The purpose of this Intersections Data Breach Consumer Notification Guide is to help companies better understand what states have data breach notification laws and what those laws require. Armed with this knowledge, companies can better plan for and react to the unfortunate event of a data breach. To find out the best ways to achieve a state of data breach readiness, please refer to the Intersections Seven Steps to Data Breach Readiness Guide. Intersections Inc. has been a leader in the fight against identity theft for over a decade. We have protected the identities of more than 30 million consumers and helped tens of thousands of individuals recover after a verified case of identity theft. We understand the harm that a corporate breach event can cause for companies and their customers, and we offer a full line of breach response products and services to provide both peace of mind and a compelling brand experience. The information, data and other content in this summary should not be considered as legal advice. It is provided to You as is and with no warranty whatsoever. Specifically, intersections inc. ( Intersections ) makes no warranty Regarding the accuracy or reliability of any information, data or other content provided in this summary and Under no circumstances will intersections be liable for any loss or damage caused by your reliance on the Information, data or other content contained in this summary. It is your responsibility to evaluate the accuracy, completeness and usefulness of any information, data or other Content provided in this summary. Please seek the advice of a legal professional, as appropriate, regarding the Evaluation of any specific information, data or other content provided in this summary DataBreachServices@Intersections.com

5 SUmmary of Law - EFFECTIVE DATE - 7/1/09 ALASKA What is a breach: Unauthorized acquisition, or reasonable belief of unauthorized acquisition, of personal information, including acquisition by: photocopying; facsimile; other paper-based method; a device, including a computer that can read, write, or store information that is represented in numerical form; and other methods not identified. When is notice required: Computerized data containing personal information: unencrypted. Personal information: First name or first initial and last name in combination with (1) Social Security number; (2) drivers license or state identification number; (3) account, credit or debit card number; (4) personal code to access an account including a security code, access code, personal identification number or password; or (5) passwords, personal identification numbers, or other access codes for financial accounts in combination with any required security code, access code, or password that would permit access to an individual financial account. Who has to notify: An information collector that owns or licenses personal information in any form. An information recipient that maintains personal information must notify and cooperate with the information distributor that owns or licenses the personal information. Who has to be notified: The individual. The nationwide credit reporting agencies must be notified if more than 1,000 individuals receive notice at one time. Regulatory/law enforcement notice not specifically addressed. Required contents of notice: Not specifically addressed. Timing of notice: The most expedient manner possible and without unreasonable delay. Notification may be delayed if a law enforcement agency determines that it will impede a criminal investigation. Notification is required after the law enforcement agency determines that it will no longer interfere with the investigation. Notification may be delayed to determine the scope of the breach and restore the reasonable integrity of the system. Permitted delivery of notice: Written. Electronic, if the person s primary method of communication is electronic or if electronic notice is consistent with E-Sign requirements. Substitute notice may be done if cost of providing notice exceeds $150,000 or number of persons exceeds 300,000 or sufficient contact information not available. All of the following must be done: (i) ; (ii) web site posting; and (iii) notice to major statewide media DataBreachServices@Intersections.com 5

6 Alaska (continued) WHEN IS NOTICE NOT REQUIRED Harm trigger: Notice is not required if, after investigation and written notice to the Attorney General, there is no reasonable likelihood that harm has resulted or will result. The determination must be documented in writing for five years. Statutory: Credit reporting agency notice provision does not apply if the information collector is subject to the Gramm-Leach-Bliley Act (GLB). Good Faith: Notice is not required if there has been a good faith acquisition of personal information by an employee or agent of an information collector for a legitimate purpose if the employee or agent does not use the personal information for a purpose unrelated to a legitimate purpose or make further unauthorized disclosure. Encryption: Notice is not required if the personal information was encrypted or redacted and the encryption key has not been accessed or acquired. STATUTE CITATION Alaska Stat through basis/get_bill_text. asp?hsid=hb0065z&session=25 ATTORNEY GENERAL Daniel S. Sullivan, Esquire Attorney General of Alaska 123 Fourth Street Diamond Courthouse Juneau, AK FBI Anchorage 101 East Sixth Avenue Anchorage, Alaska Secret Service Anchorage DataBreachServices@Intersections.com

7 SUmmary of Law - EFFECTIVE DATE - 12/31/06 ARIZONA What is a breach: Unauthorized acquisition and access to unencrypted or unredacted computerized data. When is notice required: Computerized data containing personal information: unencrypted or unredacted. Personal information: First name or first initial and last name in combination with (1) Social Security number; (2) drivers license or identification card number; or (3) financial account number, credit card number or debit card number in combination with any required security code, access code, or password that would permit access to an individual financial account. Who has to notify: A person that owns or licenses computerized data. A person that maintains computerized data must notify and cooperate with the owner or licensee. Who has to be notified: The individual. Regulatory/law enforcement notice not specifically addressed. Required contents of notice: Not specifically addressed. Timing of notice: The most expedient manner possible and without unreasonable delay. Notification may be delayed if law enforcement agency advises that it will impede a criminal investigation. Notification is required after the law enforcement agency determines that it will not compromise the investigation. Notification may be delayed to determine the nature and scope of the breach, to identify individuals affected, or to restore the reasonable integrity of the system. Permitted delivery of notice: Written. Electronic, if the person s primary method of communication is electronic or if electronic notice is consistent with E-Sign requirements. Telephonic. Substitute notice may be done if cost of providing notice exceeds $50,000 or number of persons exceeds 100,000 or sufficient contact information not available. All of the following must be done: (i) ; (ii) web site posting; and (iii) notice to major statewide media DataBreachServices@Intersections.com 7

8 ARIZONA (continued) WHEN IS NOTICE NOT REQUIRED Harm trigger: Notice is not required if the acquisition is not reasonably likely to cause substantial economic loss. Notice is not required if, after a reasonable investigation, there is a determination that a breach of the security of the system has not occurred or is not reasonably likely to occur. Statutory: Exemptions from certain requirements for entities subject to the Gramm-Leach-Bliley Act (GLB) Title V and for Health Insurance Portability and Accountability Act (HIPAA) covered entities. Entities are deemed to be in compliance with some or all of the state statute s requirements if they are in compliance with rules, regulations, procedures, guidance or guidelines established by the primary or functional federal regulator. Existing Policy: Certain notice requirements may be satisfied if a person maintains its own notification procedures; and if the person notifies the affected individuals in accordance with its policies. Good Faith: Notice is not required if there has been a good faith acquisition by an employee or agent of the person if the personal information is not used for an unrelated purpose or subject to further willful unauthorized disclosure. Public Records: Notice is not required if the information consists of publicly available information that is lawfully made available to the general public from federal, state or local government records or widely distributed media. Encryption: Notice is not required if the personal information was encrypted or redacted. STATUTE CITATION Ariz. Rev. Stat. Ann (h) legtext/47leg/2r/bills/sb1338s. htm?printformat=yes ATTORNEY GENERAL Terry Goddard, Esquire Attorney General of Arizona 1275 W. Washington Street Phoenix, AZ FBI Phoenix 201 East Indianola Avenue Suite 400 Phoenix, Arizona Secret Service Phoenix Tucson DataBreachServices@Intersections.com

9 SUmmary of Law - EFFECTIVE DATE - 8/12/05 Arkansas What is a breach: Unencrypted or unredacted personal information that was, or is reasonably believed to have been, acquired by an unauthorized person. When is notice required: Computerized data containing personal information: unencrypted or unredacted. Personal information: First name or first initial and last name in combination with (1) Social Security number; (2) drivers license or identification card number; or (3) financial account number, credit card number or debit card number in combination with any required security code, access code, or password that would permit access to an individual financial account; and (4) medical information (any individually identifiable information regarding the individual s medical history or medical treatment or diagnosis by a health care professional). Who has to notify: A person that owns or licenses computerized data. A person that maintains computerized data must notify the owner or licensee. Who has to be notified: The individual. Regulatory/law enforcement notice not specifically addressed. Required contents of notice: Not specifically addressed. Timing of notice: The most expedient time and manner possible and without unreasonable delay. Notification may be delayed for legitimate needs of law enforcement if notification would impede a criminal investigation. Notification is required after the law enforcement agency determines that it will not compromise the investigation. Notification may be delayed to determine the scope of the breach and restore the reasonable integrity of the system. Permitted delivery of notice: Written. Electronic, if electronic notice is consistent with E-Sign requirements. Substitute notice may be done if cost of providing notice exceeds $250,000 or number of persons exceeds 500,000 or sufficient contact information not available. All of the following must be done: (i) ; (ii) web site posting; and (iii) notice to major statewide media DataBreachServices@Intersections.com 9

10 Arkansas (continued) WHEN IS NOTICE NOT REQUIRED Harm trigger: Notice is not required if, after investigation, a business determines that there is no reasonable likelihood of harm. Statutory: Entities are deemed to be in compliance with some or all of the state statute s requirements if they are in compliance with or regulated by state or federal law that provides greater protection and at least as thorough disclosure requirements. Existing Policy: Certain notice requirements may be satisfied if a person or business maintains its own notification procedures consistent with the timing requirements of state law; and if the person or business notifies affected individuals in accordance with its policies. Good Faith: Notice is not required if there has been a good faith acquisition of personal information by an employee or agent of the person or business if the personal information is not otherwise used or subject to further unauthorized disclosure. Encryption: Notice is not required if the personal information was encrypted. STATUTE CITATION Ark. Code (2006) ar.us/searchcenter/pages/ ArkansasCodeSearchResultPage.aspx ftp:// acts/2005/public/act1526.pdf ATTORNEY GENERAL Dustin McDaniel, Esquire Attorney General of Arkansas 200 Tower Building 323 Center Street Little Rock, AR FBI Little Rock 24 Shackleford West Boulevard Little Rock, Arkansas Secret Service Little Rock DataBreachServices@Intersections.com

11 SUmmary of Law - EFFECTIVE DATE - 7/1/03, AMENDED 1/1/10 Section : California What is a breach: Unencrypted or unredacted computerized personal information that was, or is reasonably believed to have been, acquired by an unauthorized person. When is notice required: Computerized data containing personal information: unencrypted or unredacted. Personal information: First name or first initial and last name in combination with (1) Social Security number; (2) drivers license or identification card number; (3) account number, credit card number or debit card number in combination with any required security code, access code, or password that would permit access to an individual financial account; (4) medical information; or (5) health information. For purposes of this section, medical information means any information regarding an individual s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional. Who has to notify: A person that owns or licenses computerized data. A person that maintains computerized data must notify the owner or licensee. A state guidance document distinguishes between data owners and data custodians, providing that data owners should require custodians to notify owners upon detection of an incident. See Who has to be notified: The individual. Regulatory/law enforcement notice not specifically addressed. State guidance document recommends notifying law enforcement and consumer reporting agencies. See secbreach.pdf. Required contents of notice: Not specifically addressed. Timing of notice: The most expedient time possible and without unreasonable delay. Notification may be delayed to determine the scope of the breach and restore the reasonable integrity of the system. Notification may be delayed for legitimate needs of law enforcement if notification would impede a criminal investigation. State guidance document recommends notifying individuals within 10 business days. See DataBreachServices@Intersections.com 11

12 California (continued) Permitted delivery of notice: Written. Electronic, if electronic notice is consistent with E-Sign requirements. Substitute notice may be done if cost of providing notice exceeds $250,000 or number of persons exceeds 500,000 or sufficient contact information not available. All of the following must be done: (i) (when available); (ii) web site posting; and (iii) notice to major statewide media. Section (State Agencies): Any agency that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. Section (Clinics, Health Facilities, Home Health Agencies, and Hospices): No later than 5 business days after the unlawful or unauthorized access, use, or disclosure of a patient s medical information has been detected, a clinic, health facility, home health agency, or hospice shall report to: The State Department of Public Health; and The affected patient or the patient s representative at the last known address. Unauthorized means the inappropriate access, review, or viewing of patient medical information without a direct need for medical diagnosis, treatment, or other lawful use as permitted by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1 of the Civil Code) or any other statute or regulation governing the lawful access, use, or disclosure of medical information. Medical information means any individually identifiable information, in electronic or physical form, in possession of or derived from a provider of health care, health care service plan, pharmaceutical company, or contractor regarding a patient s medical history, mental or physical condition, or treatment. Individually identifiable means that the medical information includes or contains any element of personal identifying information sufficient to allow identification of the individual, such as the patient s name, address, electronic mail address, telephone number, or social security number, or other information that, alone or in combination with other publicly available information, reveals the individual s identity. A clinic, health facility, home health agency, or hospice shall delay the reporting of any unlawful or unauthorized access to, or use or disclosure of, a patient s medical information beyond 5 business days if a law enforcement agency or official provides the clinic, health facility, home health agency, or hospice with a written or oral statement that compliance with the reporting requirements would be likely to impede the law enforcement agency s activities and specifies a date upon which the delay shall end, not to exceed 60 days after a written request is made, or 30 days after an oral request is made DataBreachServices@Intersections.com

13 (continued) California A law enforcement agency or official may request an extension of a delay based upon a written declaration (1) that there exists a bona fide, ongoing, significant criminal investigation of serious wrongdoing, (2) that notification of patients will undermine the law enforcement agency s activities, and (3) that specifies a date upon which the delay shall end, not to exceed 60 days after the end of the original delay period. If the statement of the law enforcement agency or official is made orally, then the clinic, health facility, home health agency, or hospice shall do the following: (A) Document the oral statement, including, but not limited to, the identity of the law enforcement agency or official making the oral statement and the date upon which the oral statement was made; (B) Limit the delay in reporting the unlawful or unauthorized access to, or use or disclosure of, the patient s medical information to the date specified in the oral statement, not to exceed 30 calendar days from the date that the oral statement is made, unless a written statement is received during that time. A clinic, health facility, home health agency, or hospice shall submit a report that is delayed pursuant to this subdivision not later than five business days after the date designated as the end of the delay DataBreachServices@Intersections.com 13

14 California (continued) WHEN IS NOTICE NOT REQUIRED Existing Policy: Certain notice requirements may be satisfied if a person or business maintains its own notification procedures consistent with the timing requirements of state law; and if the person or business notifies affected individuals in accordance with its policies. Good Faith: Notice is not required if there has been a good faith acquisition of personal information by an employee or agent of a person or business if the personal information is not otherwise used or subject to further unauthorized disclosure. Public Records: Notice is not required if the information consists of records of publicly available information that is lawfully made available to the general public from federal, state, or local government records. Encryption: Notice is not required if the personal information was encrypted. STATUTE CITATION Cal. Civ. Code title code/code.html?sec=civ&codesecti on= Cal. Civ. Code title code/code.html?sec=civ&codesecti on= Cal. Health and Safety Code bill_ _chaptered.pdf ATTORNEY GENERAL Edmund G. Brown, Jr., Esquire Attorney General of California 1300 I Street, Suite 1740 Sacramento, CA FBI Los Angeles Wilshire Blvd. Suite 1700, FOB Los Angeles, California San Diego Federal Office Building 9797 Aero Drive San Diego, California Sacramento 4500 Orange Grove Avenue Sacramento, California (916) San Francisco 450 Golden Gate Avenue, 13th. Floor San Francisco, California Secret Service Fresno Riverside Sacramento San Diego San Jose Santa Ana Ventura Electronic Crimes Task Force Los Angeles laxectf@einformation.usss.gov Electronic Crimes Task Force San Francisco sfoectf@einformation.usss.gov DataBreachServices@Intersections.com

15 SUmmary of Law - EFFECTIVE DATE - 7/1/06 colorado What is a breach: Unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality, or integrity of personal information that was, or is reasonably believed to have been acquired by an unauthorized person. When is notice required: Computerized data containing personal information: unencrypted, un-redacted. Personal information: First name or first initial and last name in combination with (1) Social Security number; (2) drivers license or identification card number; or (3) account number, credit card number or debit card number in combination with any required security code, access code, or password that would permit access to an individual financial account. Who has to notify: A person that owns or licenses computerized data. A person that maintains computerized data must notify and cooperate with the owner or licensee. Who has to be notified: The individual. The nationwide credit reporting agencies must be notified if more than 1,000 individuals receive notice at one time. Regulatory/law enforcement notice not specifically addressed. Required contents of notice: Not specifically addressed. Timing of notice: The most expedient time possible and without unreasonable delay and as soon as possible after a prompt investigation into the likelihood that a security breach will lead to the misuse of personal information. Notification may be delayed for legitimate needs of law enforcement if notification would impede a criminal investigation. Law enforcement must make a request to delay notification. Notification is required in good faith, without unreasonable delay, and as soon as possible after the law enforcement agency determines that it will not compromise the investigation. Notification may be delayed to determine the scope of the breach and restore the reasonable integrity of the system. Permitted delivery of notice: Written. Electronic, if the person s primary method of communication is electronic or if electronic notice is consistent with E-Sign requirements. Telephonic. Substitute notice may be done if cost of providing notice exceeds $250,000 or number of persons exceeds 250,000 or sufficient contact information not available. All of the following must be done: (i) ; (ii) web site posting; and (iii) notice to major statewide media DataBreachServices@Intersections.com 15

16 COlorado (continued) WHEN IS NOTICE NOT REQUIRED Harm trigger: Notice is not required if an investigation determines that misuse of information has not occurred and is not reasonably likely to occur. Statutory: Entities are deemed to be in compliance with some or all of the state statute s requirements if they are regulated by state or federal law and procedures are maintained pursuant to laws, rules, regulations, or guidelines established by the primary or functional state or federal regulator. Existing Policy: Certain notice requirements may be satisfied if a person or a commercial entity maintains its own notification procedures consistent with the timing requirements of state law; and if the person or the commercial entity notifies affected individuals in accordance with its policies. Good Faith: Notice is not required if there has been a good faith acquisition of personal information by an employee or agent of the individual or commercial entity for the purposes of the individual or commercial entity if the personal information is not used for or is not subject to further unauthorized disclosure. Public Records: Notice is not required if the information consists of records of publicly available information that is lawfully made available to the general public from federal, state, or local government records or widely distributed media. Encryption: Notice is not required if the personal information was encrypted. STATUTE CITATION Colo. Revised Statutes lpext.dll?f=templates&fn=main-h. htm&cp= ATTORNEY GENERAL John Suthers, Esquire Attorney General Colorado 1525 Sherman Street Denver, CO FBI Denver 8000 East 36th Avenue Denver, Colorado Secret Service Denver DataBreachServices@Intersections.com

17 SUmmary of Law - EFFECTIVE DATE - 1/1/06 Connecticut What is a breach: Unauthorized access to or acquisition of personal information that was, or is reasonably believed to have been, accessed by an unauthorized person. When is notice required: Electronic files, media databases or computerized data containing personal information: unencrypted or unsecured by other means that renders personal information unusable or unreadable. Personal information: First name or first initial and last name in combination with (1) Social Security number; (2) drivers license or identification card number; or (3) account number, credit card number or debit card number in combination with any required security code, access code, or password that would permit access to an individual financial account. Who has to notify: A person that owns or licenses electronic data. A person that maintains computerized data must notify the owner or licensee. Who has to be notified: The individual. Regulatory/law enforcement notice not specifically addressed. Required contents of notice: Not specifically addressed. Timing of notice: Without unreasonable delay. Notification may be delayed for law enforcement if notification would impede a criminal investigation. Law enforcement must make a request to delay notification. Notification is required after the law enforcement agency determines it will not compromise the investigation and so notifies the person to send the notification. Notification may be delayed to determine the nature and scope of the breach, identify individuals affected, or to restore the reasonable integrity of the system. Permitted delivery of notice: Written. Electronic, if the person s primary method of communication is electronic or if electronic notice is consistent with E-Sign requirements. Telephonic. Substitute notice may be done if cost of providing notice exceeds $250,000 or number of persons exceeds 500,000 or sufficient contact information not available. All of the following must be done: (i) (when available); (ii) web site posting; and (iii) notice to major statewide media DataBreachServices@Intersections.com 17

18 Connecticut (continued) WHEN IS NOTICE NOT REQUIRED Harm trigger (with limitation): Notification not required if, after an appropriate investigation and consultation with relevant federal, state, and local agencies responsible for law enforcement, the person reasonably determines that harm will not likely result. Existing Policy: Certain notice requirements may be satisfied if an individual or commercial entity maintains its own security breach procedures consistent with the timing requirements of state law; and notifies affected individuals in accordance with its policies. Good Faith: Notice is not required if there has been a good faith acquisition of personal information by an employee or agent of the individual or commercial entity for the purposes of the individual or commercial entity if the personal information is not used for or is not subject to further unauthorized disclosure. Public Records: Notice is not required if the information consists of records of publicly available information that is lawfully made available to the general public from federal, state, or local government records or widely distributed media. Encryption: Notice is not required if the personal information was encrypted. STATUTE CITATION Conn. Statutes 36a b pub_statutes.html ATTORNEY GENERAL Richard Blumenthal, Esquire Attorney General of Connecticut 55 Elm Street Hartford, CT FBI New Haven 600 State Street New Haven, Connecticut Secret Service New Haven DataBreachServices@Intersections.com

19 SUmmary of Law - EFFECTIVE DATE - 6/28/05 delaware What is a breach: Unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality, or integrity of personal information that was, or is reasonably believed to have been, accessed by an unauthorized person. When is notice required: Computerized data containing personal information: unencrypted. Personal information: First name or first initial and last name in combination with (1) Social Security number; (2) drivers license or identification card number; or (3) account number, credit card number or debit card number in combination with any required security code, access code, or password that would permit access to an individual financial account; (4) Individually identifiable information, in electronic or physical form, regarding the Delaware resident s medical history, medical treatment or diagnosis by a health care professional. Who has to notify: A person that owns or licenses computerized data. A person that maintains computerized data must notify and cooperate with the owner or licensee. Who has to be notified: The individual. Regulatory/law enforcement notice not specifically addressed. Required contents of notice: Not specifically addressed. Timing of notice: The most expedient time possible and without unreasonable delay. Notification may be delayed for legitimate needs of law enforcement if notification would impede a criminal investigation. Notification is required in good faith without unreasonable delay and as soon as possible after the law enforcement agency determines it will not compromise the investigation. Notification may be delayed to determine the scope of the breach and restore the reasonable integrity of the system. Permitted delivery of notice: Written. Electronic, if the person s primary method of communication is electronic or if electronic notice is consistent with E-Sign requirements. Telephonic. Substitute notice may be done if cost of providing notice exceeds $75,000 or number of persons exceeds 100,000 or sufficient contact information not available. All of the following must be done: (i) ; (ii) web site posting; and (iii) notice to major statewide media DataBreachServices@Intersections.com 19

20 Delaware (continued) WHEN IS NOTICE NOT REQUIRED Harm trigger: Notice is not required if, after a reasonable and prompt investigation is conducted, it is determined that the misuse of information has not and is not reasonably likely to occur. Statutory: Entities are deemed to be in compliance with some or all of the state statute s requirements if they are regulated by State or federal law and procedures are maintained pursuant to laws, rules, regulations, or guidelines established by the primary or functional State or federal regulator and notice is provided in accordance with these procedures if a breach occurs. Existing Policy: Certain notice requirements may be satisfied if an individual or a commercial entity maintains its own notice procedures consistent with the timing requirements of state law; and if the individual or the commercial entity notifies affected individuals in accordance with its policies. Good Faith: Notice is not required if there has been a good faith acquisition of personal information by an employee or agent of the individual or commercial entity for the purposes of the individual or commercial entity if the personal information is not used or subject to further unauthorized disclosure. Public Records: Notice is not required if the information consists of records of publicly available information that is lawfully made available to the general public from federal, state, or local government records. Encryption: Notice is not required if the personal information was encrypted. STATUTE CITATION Del. Code 6 12B-102 (2006) vwlegislation/hb+116/$file/legis.html?open ATTORNEY GENERAL Joseph R. Biden, III, Esquire Attorney General of Delaware Carvel State Office Building 820 N. French Street Wilmington, DE Secret Service Wilmington DataBreachServices@Intersections.com

21 SUmmary of Law - EFFECTIVE DATE - 7/1/07 District of Columbia What is a breach: Unauthorized acquisition of computerized or other electronic data, or any equipment or device storing such data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business. When is notice required: Electronic or computerized data containing personal information or equipment storing such data that has not been rendered secure so as to be unusable by an unauthorized third party. Personal information: (I) First name or first initial and last name in combination with (1) Social Security number; (2) drivers license or identification card number; or (3) credit card number or debit card number; OR (II) any other number or code or combination, such as account number, security code, access code, or password, that allows access to an individual s financial or credit account. Who has to notify: A person that owns or licenses electronic or computerized data. A person that maintains computerized data must notify the owner or licensee. Who has to be notified: The individual. The nationwide credit reporting agencies must be notified if more than 1,000 individuals receive notice at one time. Regulatory/law enforcement notice not specifically addressed. Required contents of notice: Not specifically addressed. Timing of notice: The most expedient time possible and without unreasonable delay. Notification may be delayed for law enforcement if notification would impede a criminal investigation. Notification is required as soon as possible after the law enforcement agency determines it will not compromise the investigation. Notification may be delayed to determine the scope of the breach and restore the reasonable integrity of the system. Permitted delivery of notice: Written. Electronic, if the consumer consents or if electronic notice is consistent with E-Sign requirements. Substitute notice may be done if cost of providing notice exceeds $50,000 or number of persons exceeds 100,000 or sufficient contact information not available. All of the following must be done: (i) ; (ii) web site posting; and (iii) notice to major local, and if applicable, national media DataBreachServices@Intersections.com 21

22 DISTRICT OF COLumbia (continued) WHEN IS NOTICE NOT REQUIRED Statutory: Notice is not required to credit reporting agencies under the statute if the entity is subject to the Gramm-Leach-Bliley Act (GLB). Existing Policy: Certain notice requirements may be satisfied if a person or business maintains its own notification procedures consistent with the timing requirements of state law; and if the person or business provides notice, in accordance with its policies, reasonably calculated to give actual notice to affected individuals. Good Faith: Notice is not required if there has been a good faith acquisition of personal information by an employee or agent of the person or business for the purposes of the person or business if the personal information is not used improperly or subject to further unauthorized disclosure. Public Records: Notice is not required if the information consists of publicly available information that is lawfully made available to the general public from federal, state, or local government records. Encryption: Notice is not required if the data has been rendered secure, so as to be unusable by an unauthorized third party. STATUTE CITATION D.C. Code through 53 linkedslice/default.asp?sp=dcc-1000 ATTORNEY GENERAL Peter Nickles, Esquire Attorney General of the District of Columbia John A. Wilson Building 1350 PA Avenue, NW, Suite 409 Washington, DC FBI Washington Washington Metropolitan Field Office 601 4th Street, N.W. Washington, D.C Secret Service Electronic Crimes Task Force Washington DC wfoectf@einformation.usss.gov DataBreachServices@Intersections.com

23 SUmmary of Law - EFFECTIVE DATE - 7/1/05 florida What is a breach: Unlawful and unauthorized acquisition of unencrypted data that compromises the security, confidentiality, or integrity of personal information that was, or is reasonably believed to have been, accessed by an unauthorized person. When is notice required: Computerized data containing personal information: unencrypted. Personal information: First name or first initial and last name or any middle name and last name in combination with (1) Social Security number; (2) drivers license or identification card number; or (3) account number, credit card number or debit card number in combination with any required security code, access code, or password that would permit access to an individual financial account. Who has to notify: A person with a direct business relationship with the resident or pursuant to an agreement. A person that maintains computerized data must notify the owner or licensee within 10 business days. Who has to be notified: The individual. The business entity on whose behalf data is maintained. The nationwide credit reporting agencies must be notified if more than 1,000 individuals receive notice in a single occurrence. Regulatory/law enforcement notice not specifically addressed. Required contents of notice: Not specifically addressed. Timing of notice: Without unreasonable delay, but no later than 45 days following determination of the breach or notice from law enforcement. Notification may be delayed for legitimate needs of law enforcement if notification would impede a criminal investigation. Notification is required after the law enforcement agency determines it will not compromise the investigation. Notification may be delayed to determine the presence, nature and scope of the breach and restore the reasonable integrity of the system. Permitted delivery of notice: Written. Electronic, if consumer consent and consistent with E-Sign OR if the person or business providing the notice has a valid address for the subject person and the subject person has agreed to accept communications electronically. Substitute notice may be done if cost of providing notice exceeds $250,000 or number of persons exceeds 500,000 or sufficient contact information not available. All of the following must be done: (i) ; (ii) web site posting; and (iii) notice to major statewide media DataBreachServices@Intersections.com 23

24 FLORIDA (continued) WHEN IS NOTICE NOT REQUIRED Harm trigger: Notice is not required if, after an appropriate investigation or after consultation with relevant law enforcement, it is determined that the breach has not and will not likely result in harm. The determination must be documented in writing for five years. Statutory: Entities are deemed to be in compliance with some or all of the state statute s requirements if they are subject to rules, regulations, procedures or guidelines established by their federal functional regulator, if notice is made in accordance with those requirements in the event of a breach. Existing Policy: Certain notice requirements may be satisfied if a person or business maintains its own notification procedures consistent with the timing requirements of state law; and if the person or business provides notice, in accordance with its policies, reasonably calculated to give actual notice to affected individuals. Good Faith: Notice is not required if there has been a good faith acquisition of personal information by an employee or agent of the person or business for the purposes of the person or business if the personal information is not used improperly or subject to further unauthorized disclosure. Public Records: Notice is not required if the information consists of publicly available information that is lawfully made available to the general public from federal, state, or local government records. Encryption: Notice is not required if the data has been rendered secure, so as to be unusable by an unauthorized third party. STATUTE CITATION Fla. Statutes Ann. title index.cfm?app_mode=display_ Statute&URL=Ch0817/ch0817.htm ATTORNEY GENERAL Bill McCollum, Esquire Attorney General of Florida The Capitol 107 W. Gaines Street Tallahassee, FL FBI North Miami Beach Northwest Second Avenue North Miami Beach, Florida Jacksonville 6061 Gate Parkway Jacksonville, Florida Tampa 5525 West Gray Street Tampa, Florida Secret Service Fort Myers Jacksonville Tallahassee Tampa West Palm Beach Electronic Crimes Task Force Miami miaectf@einformation.usss.gov Electronic Crimes Task Force Orlando orlecwg@einformation.usss.gov DataBreachServices@Intersections.com

25 S U m m a ry o f L aw - E F F EC T I V E DAT E - 5/5/05 Georgia What is a breach: Unauthorized acquisition of unencrypted data that compromises the security, confidentiality, or integrity of personal information that was, or is reasonably believed to have been, accessed by an unauthorized person. When is notice required: Electronic or computerized data containing personal information: unencrypted or unredacted. Personal information: First name or first initial or middle name and last name in combination with (1) Social Security number; (2) drivers license or identification card number; (3) account number, credit card number or debit card number if such a number could be used without additional identifying information, access codes, or passwords; (4) account passwords or personal identification numbers or other access codes; or (5) any of the items listed in 1-4 when not in connection with the individual s first name or first initial and last name if the information compromised would be sufficient to perform or attempt to perform identity theft against the person whose information was compromised. Who has to notify: An information broker. A person that maintains computerized data on behalf of an information broker must notify the information broker within 24 hours following discovery of the breach. Who has to be notified: The individual. The information broker on whose behalf the data is maintained. The nationwide credit reporting agencies must be notified if more than 10,000 individuals receive notice at one time. Regulatory/law enforcement notice not specifically addressed. Required contents of notice: Not specifically addressed. Timing of notice: The most expedient time possible and without unreasonable delay. Notification may be delayed for legitimate needs of law enforcement if notification would compromise a criminal investigation. Notification is required after the law enforcement agency determines it will not compromise the investigation. Notification may be delayed to determine the scope of the breach and restore the reasonable integrity, security and confidentiality of the system. Permitted delivery of notice: Written. Telephonic. Electronic, if electronic notice is consistent with E-Sign requirements. Substitute notice may be done if cost of providing notice exceeds $50,000 or number of persons exceeds 100,000 or sufficient contact information not available. All of the following must be done: (i) ; (ii) web site posting; and (iii) notice to major statewide media DataBreachServices@Intersections.com 25

26 GEORGIA (continued) WHEN IS NOTICE NOT REQUIRED Existing Policy: Certain notice requirements may be satisfied if an information broker or data collector maintains its own notification procedures consistent with the timing requirements of state law; and if it notifies affected individuals in accordance with its policies. Good Faith: Notice is not required if there has been a good faith acquisition or use of personal information by an employee or agent of an information broker or data collector for the purposes of such information broker or data collector provided that the personal information is not used or subject to further unauthorized disclosure. Public Records: Notice is not required if the information consists of publicly available information that is lawfully made available to the general public from federal, state, or local government records. Encryption: Notice is not required if the data has been encrypted so as to be unusable by an unauthorized third party, and has not, or is not reasonably believed to have been, acquired by an unauthorized person. STATUTE CITATION Ga. Code (2006) legis/2005_06/fulltext/sb230.htm ATTORNEY GENERAL Thurbert E. Baker, Esquire Attorney General Georgia 40 Capitol Square, SW Atlanta, GA FBI Atlanta 2635 Century Parkway, Northeast Suite 400 Atlanta, Georgia Secret Service Albany Savannah Electronic Crimes Task Force Atlanta atlectf@einformation.usss.gov DataBreachServices@Intersections.com